A method of providing access for a subscriber terminal (8) to services of an Internet Service Provider (ISP, 6) through the Internet
(1). The terminal (8) is connected to the Internet (1) via an Internet Access Server (IAS, 8) and transmits a log-on request to a node (9)
in the Internet (1). The node (9) comprises a database (11) containing authentication data relating to subscribers of a home network which
controls the node (9). The terminal (8) is authenticated using the database (11) and authentication data is returned to the terminal (8). Part
of the authentication data is then transmitted from the terminal (8) to the ISP (6), which in turn transmits an authentication request to the
authentication node (9). The node (9) returns an authorisation to the ISP (6) and, in response, the ISP (6) allows the subscriber terminal
(8) to access its services.

SERVICE PROVIDER ACCESS METHOD AND APPARATUS

Field of the Invention

The present invention relates to a service provider
access method and apparatus and in particular, though
not necessarily, to the collection of charge data for
accessing an Internet service provider via the Internet.

The conventional way for a home user of a personal
computer (PC) to access the Internet is to set up a
telephone call, via his telephone operator provided with
a modem pool, to an Internet service provider. The
service provider allocates an Internet address to the PC
("subscriber terminal") for the duration of a session
and acts as a router and protocol converter for data
transmitted between the Internet and the subscriber
terminal.

More recently, it has been proposed to combine the
functionality of the Internet service provider into
certain exchanges of the telephone network. An
advantage of this is that the subscriber need only
receive a single bill for both telephone calls and
Internet access.

Exchanges provided with this facility are accessed by
subscribers dialing a predefined access number. The
exchanges contain intelligence (sometimes described as
an "intelligent network") which enables them to
recognise that a call received to this number is an
Internet access request. In response, the exchange
provides a connection between the subscriber terminal
(or rather "line") and the Internet via one of a number
of so-called Internet Access Servers (IASs) -
alternatively known as Network Access Servers (NASs).
An IAS acts as a multiplexer/demultiplexer between a
number of low capacity subscriber lines and a high
capacity trunk line connecting to the Internet. The IAS
also acts as a protocol converter, converting the
circuit switched protocol of the telephone network into
a packet Internet protocol and vice versa. In the case
of digital cellular telephone networks (e.g. the Global
System for Mobile Communications), an IAS may be
accessed from a mobile terminal using a special
signaling protocol to set up a data channel between the
IAS and the mobile terminal.

WO 99/59375
PCT/EP99/03085

It is often the case that a subscriber connects, via the
Internet, to some remote Internet Service Provider (ISP)
- sometimes referred to as a "content provider" - who
offers chargeable services to the subscriber, or with
whom orders for products may be placed. In this case,
it is possible to transmit charging information from the
ISP to the IAS and through that to the billing
coordinator of the access network.

This solution to the problem of providing a subscriber
with a single bill covering both telephone and Internet
services works satisfactorily providing that the
subscriber only wishes to access the Internet via his
own or "home" telephone network. More and more however,
subscribers are demanding service mobility - the ability
to access the Internet from various geographical
locations not covered by the home network but instead
where Internet access is available via some other means
(e.g. the telephone network of some "foreign" operator
or a local area network). This is particularly true in
the case of mobile cellular telephone subscribers who
may be able to roam across national borders with a
single piece of communication hardware.

In order to meet this demand for mobility and for the
amalgamation of charges into a single bill, it is
necessary to provide firstly for the authentication of
subscribers attempting to access the ISP via a visitor
telephone network, and secondly for the repatriation of
charging information to the subscribers' home telephone
networks.

Summary of the Invention

It is an object of the invention to overcome or at least
mitigate the disadvantages of known Internet charging
systems vis-à-vis the combining of telephone and
Internet charging data whilst providing for subscriber
mobility.

According to a first aspect of the present invention
there is provided a method of providing access for a
subscriber to services of a service provider through a
data network, the subscriber being a subscriber of a
home interface network, the method comprising the steps
of:

connecting a subscriber terminal to said data
network;

transmitting a log-on request for the subscriber
terminal from the terminal to a node in the data
network, said node having a data network address and
comprising a database containing authentication data
relating to subscribers of the home interface network
which controls said node;

authenticating the subscriber terminal using the
data contained in said database and returning
authentication data to the subscriber terminal;

transmitting at least part of the authentication
data from the subscriber terminal to the service
provider;

transmitting an authentication request from the
service provider to the authentication node, and
returning an authorisation to the service provider; and

in response to receipt of authorisation from the
authentication node, allowing the subscriber terminal to
access services of the service provider via the data
network.

As the node comprising the authentication database is
controlled by the home network, the node can be trusted
to provide secure authentication data to the
interrogating service provider.

Embodiments of the present invention enable the
authentication of a subscriber terminal connected to the
data network and hence the confirmation of the right of
the service provider to charge the subscriber terminal
for the right to access its services. Charging
information may then be repatriated to the subscriber
terminal's home network where it may be incorporated
into a single charging system maintained by the home
network.

Preferably, the data network is the Internet and said
node is an Internet node having an Internet Protocol
(IP) address, e.g. a Universal Resource Locator (URL)
address. More preferably, the home network comprises a
telecommunication network, such as a Public Switched
Telephone Network (PSTN) having an Internet access
server or a modem pool. Alternatively, the
telecommunication network may be a cellular radio
telephone network having a direct access gateway.

The subscriber terminal may be connected to the data
network via a visitor network comprising a PSTN and an
access server or modem pool, similar to the home
network. Alternatively, connection to the data network
may be through a local area network and an Internet
access server.

The database of the authentication node may contain the
home number of the subscriber (A-number), together with
a Username and a password. Said log-on request then
contains the Username and password which are verified by
the node, together with a network address allocated to
the subscriber terminal in the data network.

The authentication data returned to the subscriber
terminal preferably comprises an access computer program
and a user identification (UID). This computer program
may be in the form of an applet which causes the
subscriber terminal to transmit, at regular intervals, a
confirmation message to the authentication node. At
least the UID is then transmitted from the subscriber
terminal to the service provider. The service provider
polls the network node, using the terminal's network
address and UID to confirm the continued authorisation
of the terminal.

In an embodiment of the invention, the home network has
control of a second node in the data network, which node
also has an address in that network and acts as a
collector of charging information for the service
provider. More preferably, the authentication node
records charging data for the subscriber terminal and
subsequently transfers this to the charging node.

In an alternative embodiment of the invention, the
service provider has permission to access a second
authentication node controlled by said visitor network
or another "foreign" network. The method comprises the
further step of transmitting an authentication request
on behalf of the subscriber terminal to the second
authentication node. When the "home" node has verified
that the terminal is a subscriber of said home network,
the second authentication node communicates with the
home authentication node, to both authenticate the
subscriber terminal and to receive subscriber identity
data, e.g. the subscriber's telephone number (A-number).
The second authentication node then transfers charging
data to a charging node of the service provider. The
charging node of the service provider can then forward
charging information to the charging node of the home
network.

Individual charging requests may be made from the
charging node of the service provider to the
authentication node of the home network. These requests
may then be referred by the authentication node of the
home network to the subscriber terminal for approval or
rejection. The decision of the subscriber terminal is
then transferred back to the service provider's charging
node via the home network's authentication node.

According to a second aspect of the present invention
there is provided apparatus for providing access for a
subscriber to services of a service provider through a
data network, the subscriber being a subscriber of a
home interface network, the apparatus comprising:

connection means for connecting a subscriber
terminal to a data network;

a data network node having a data network address
and comprising a database containing authentication data
relating to subscribers of the home interface network
which controls said node;

first transmission means for transmitting a log-on
request for the subscriber terminal from the terminal to
said node;

means for authenticating the subscriber terminal
using the data contained in said database and for
returning authentication data to the subscriber
terminal;

second transmission means for transmitting at least
part of the authentication data from the subscriber
terminal to the service provider;

third transmission means for transmitting an
authentication request from the service provider to the
authentication node, and returning an authorisation to
the service provider; and

processing means arranged, in response to receipt
of authorisation from the authentication node, to allow
the subscriber terminal to access services of the
service provider via the data network.

Brief Description of the Drawings

For a better understanding of the present invention and
in order to show how the same may be carried into effect
reference will now be made, by way of example, to the
accompanying drawings, in which:

Figure 1 shows schematically an Internet access
network;

Figure 2 is a flow diagram illustrating the method
of operation of the network of Figure 1; and

Figure 3 shows schematically a first modification
to the network of Figure 1.

Detailed Description of Embodiments

With reference to Figure 1, there is illustrated an
Internet access network in which the Internet is
identified by the reference numeral 1. Point-to-point
connections (i.e. logical connections) made via the
Internet 1 are identified by dashed lines whilst
physical connections are identified by solid lines. A
terminal (e.g. personal computer) 2 is a subscriber of a
public switched telephone network (PSTN) 3 and is
connected thereto by a modem (not shown) and a
subscriber line 4. This PSTN 3 is referred to
hereinafter as the "home" network of the subscriber
terminal 2. By calling a predefined access number
(B-number) the subscriber terminal 2 is able to gain access
to the Internet 1 through an Internet access server
(IAS) 5 operated by the operator of the PSTN 3. The IAS
5 provides appropriate protocol conversion (i.e. between
circuit-switched and packet-switched data transmission)
for data transfer between the Internet 1 and the
subscriber terminal 2.

As Internet communications for the subscriber terminal 2
are handled by the home network's own IAS 5, the home
network is able to combine charges made for the Internet
access with normal telephone charges. The operator is
therefore able to issue the subscriber with a single
bill covering both services. Furthermore, if the
subscriber terminal 2 accesses a remote Internet Service
Provider (ISP) 6 which levies a charge for the service
provided, charging information may be returned to the
home network 3 for incorporation into this same bill.

Consider now the situation where the subscriber connects
to the Internet via an IAS 7 of a local area network
(LAN - not shown in Figure 1) and not through his home
network. This situation is illustrated in Figure 1
where the subscriber terminal is indicated by the
reference numeral 8. Before the subscriber terminal can
gain access to the ISP 6, an authentication and
authorisation procedure must be completed. This makes
use of a first Internet node 9, termed a Datanet User
Service DataBase (DUSDB), and a second Internet node 10,
termed an Internet Billing Coordinator (IBC). Both of
these nodes 9, 10 have assigned thereto respective IP
addresses such that they represent end-points for data
packets tunneled via the Internet. The IP address of
the DUSDB 9 is in the form of a Universal Resource
Locator (URL) address.

The DUSDB 9 is provided with a database 11 containing
the following tables (further explanation of the table
fields is given below):

1. Subscriber telephone numbers in the home network
(A-number), a username, and a user password. This
information is used for subscriber authentication.

2. Connection start time, connection disconnect time,
disconnect method, username, random part of UID,
originating IP address. This table is used to store log
data from subscriber login and logout sessions.

3. Connection start time, username, UID, originating
IP address, latest verification time. This table is
used to enhance system performance. It is used to store
information after login and before logout. Upon logout,
the information is transferred to table 2 and missing
fields are inserted there. The latest verification time
is the time that the most recent verification was
received from the user applet.

4. ISP IP address, request time, UID. This table
contains information on every query made by an ISP to
the DUSDB.

The DUSDB 9 and the IBC 10 are both under the control of
the home network 3 and can therefore be considered as
secure.

In the procedure to be described below, communications
between the ISP 6, the DUSDB 9, and the IBC 10, require
that the identity of the transmitting and receiving
identity be confirmed. This is achieved using an
authentication protocol such as Radius. Communications
made using this protocol are indicated in Figure 1 by
the symbol A. Other communications over the Internet
can be made using the https protocol, indicated in Figure 1
by the symbol

The first stage in granting the subscriber terminal 8
access to the ISP 6 involves the subscriber terminal 8
logging on to the DUSDB 9. This requires the subscriber
terminal to request from the IAS 7 an Internet protocol
(IP) address. Logging on is achieved in a similar
manner to that used for gaining Internet access to bank
services. The user first enters the URL of the DUSDB 9
and then sends to the DUSDB 9 the terminal's username
and (changing) password. When the DUSDB 9 has confirmed
the identity of the subscriber, the DUSDB 9 sends an
applet to the subscriber terminal 8, together with a
user identification (UID). The applet is installed in
the subscriber terminal 8 and causes the terminal to
send a confirmation message to the DUSDB 9 at regular
intervals, e.g. every one minute. If this message is
not received by the DUSDB 9 within a certain time frame,
the user is logged off from the DUSDB 9. For a general
introduction to applets, see for example "Java in a
Nutshell", David Flanagan, 2nd Ed, Chapter 6
(ISBN 1-56592-262-X).

When the subscriber terminal 8 has successfully logged
on to the DUSDB 9, the terminal makes an https
connection to the ISP 6. The ISP 6 then contacts the
DUSDB 9, using the terminal's IP address and UID, to
confirm whether or not the subscriber terminal 8 is
logged on to the DUSDB 9. A confirmation message is
returned to the ISP 6 by the DUSDB 9, and the ISP grants
access to the terminal 8.

In the event that the applet generated message is not
sent to the DUSDB 9 within the required time frame, the
DUSDB logs off the subscriber terminal 8, and sends a
message to this effect to the ISP 6 which terminates the
subscriber terminal's access.

The operation of the network of Figure 1 is illustrated 
by the flow chart of Figure 2. 
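
The log-on, confirmation-message and ISP query steps described above, modelled in Python as an added example (not code from the patent). The class and method names, the 120-second timeout, the salted-hash store for a fixed password and the sample addresses are assumptions; the text specifies only the table fields and "a certain time frame".

```python
import hashlib
import hmac
import secrets

HEARTBEAT_TIMEOUT = 120  # seconds; assumed, the text only says "a certain time frame"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Dusdb:
    """Toy model of the authentication node (DUSDB 9) and its four tables."""

    def __init__(self):
        self.subscribers = {}  # table 1: username -> (A-number, salt, password hash)
        self.session_log = []  # table 2: finished sessions
        self.active = {}       # table 3: UID -> live session
        self.isp_queries = []  # table 4: (ISP IP, request time, UID)
        self.watchers = {}     # UID -> ISPs that were told "logged on"
        self.outbox = []       # (UID, ISP IP) log-off notices for ISPs

    def add_subscriber(self, username, a_number, password):
        salt = secrets.token_bytes(16)
        self.subscribers[username] = (a_number, salt, _hash(password, salt))

    def log_on(self, username, password, origin_ip, now):
        """Check username/password; on success open a session and return a UID."""
        record = self.subscribers.get(username)
        if record is None or not hmac.compare_digest(_hash(password, record[1]), record[2]):
            return None
        uid = secrets.token_hex(16)  # unguessable UID, bound to the originating IP
        self.active[uid] = {"start": now, "username": username,
                            "ip": origin_ip, "last_verified": now}
        return uid

    def expire(self, now):
        """Log off sessions with an overdue confirmation and queue ISP notices."""
        for uid, s in list(self.active.items()):
            if now - s["last_verified"] > HEARTBEAT_TIMEOUT:
                del self.active[uid]
                self.session_log.append({**s, "uid": uid, "end": now, "method": "timeout"})
                self.outbox += [(uid, isp) for isp in sorted(self.watchers.pop(uid, ()))]

    def confirm(self, uid, origin_ip, now):
        """Confirmation message sent by the applet at regular intervals."""
        self.expire(now)
        s = self.active.get(uid)
        if s is None or s["ip"] != origin_ip:
            return False
        s["last_verified"] = now
        return True

    def isp_check(self, isp_ip, terminal_ip, uid, now):
        """ISP query: is this (terminal IP, UID) pair currently logged on?"""
        self.expire(now)
        self.isp_queries.append((isp_ip, now, uid))
        s = self.active.get(uid)
        ok = s is not None and s["ip"] == terminal_ip
        if ok:
            self.watchers.setdefault(uid, set()).add(isp_ip)
        return ok


def demo():
    """Constructed walk-through; all addresses and credentials are sample values."""
    db = Dusdb()
    db.add_subscriber("alice", "0405550100", "s3cret-sample")
    terminal, isp = "192.0.2.10", "198.51.100.6"
    uid = db.log_on("alice", "s3cret-sample", terminal, now=0)
    return {
        "uid": uid,
        "bad_password": db.log_on("alice", "guess", terminal, now=0),
        "isp_ok": db.isp_check(isp, terminal, uid, now=30),
        "wrong_ip": db.isp_check(isp, "203.0.113.9", uid, now=31),
        "heartbeat": db.confirm(uid, terminal, now=60),
        "after_timeout": db.isp_check(isp, terminal, uid, now=200),
        "notices": list(db.outbox),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `wrong_ip` case shows why the ISP query carries both the terminal's IP address and the UID: a UID presented from a different address is not confirmed.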

The solution to providing a single bill for telephone
and ISP access of Figure 1 works satisfactorily
providing that the ISP 6 has an appropriate agreement
with the subscriber's home network 3. If this is not
the case, then means must be provided for enabling the
operator of the ISP 6 to collect charging information,
including subscriber identity information, so that the
operator can bill the home network 3 for services used.
The home network 3 may then pass on the charges to the
subscriber using its own charging system.

A network for achieving this solution is illustrated
schematically in Figure 3, where elements already
discussed with reference to Figure 1 are identified with
like reference numerals (the subscriber's home network
is omitted in the interest of simplicity). The network
makes use of communication between the DUSDB 9
controlled by the home network and a second DUSDB 12.
The second DUSDB 12 is under the control of a foreign
network, with the ISP 6 having a suitable agreement with
that network such that the ISP 6 has permission to
connect to and use the services of the DUSDB 12.

As described with reference to Figures 1 and 2, the
subscriber 8 starts by logging on to the DUSDB 9 of the
home network using his Username and password, and
receives therefrom an applet and UID. When the
subscriber 8 subsequently requests access to the ISP 6,
the ISP 6 communicates with its own trusted DUSDB 12 and
recognises that the subscriber 8 does not have an
account with the ISP 6 and moreover that the ISP 6 does
not have an appropriate service agreement with the home
network 3. The ISP DUSDB 12 then contacts the home
DUSDB 9 and receives therefrom all data necessary for
billing the subscriber 8, including the subscriber's
home telephone number (A-number).

The foreign network has its own IBC node 13, which
receives the necessary billing information from the
network's DUSDB 12. When the subscriber's connection is
terminated, the IBC 13 sends an Internet Charging Data
Record (CDR) to the foreign network's billing system
(not shown) which in turn forwards a note of the charges
to the home network's billing system.

It will be appreciated by the person of skill in the art
that modifications may be made to the above described
embodiments without departing from the scope of the
present invention. For example, the network may include
means for providing the subscriber with the opportunity
to accept or reject individual charging requests made by
the ISP 6. For each CDR generated by the IBC 13 in
response to one or more charging information packets
received by it from the ISP 6, the IBC 13 requests
authorisation from the home network's DUSDB 9. The
DUSDB 9 directs this request to the subscriber terminal
8 using the previously transferred applet. If the
subscriber accepts the request, then an OK message is
sent via the DUSDB 9 and the IBC 13 to the ISP 6.

1. A method of providing access for a subscriber to
services of a service provider through a data network,
the subscriber being a subscriber of a home interface
network, the method comprising the steps of:

connecting a subscriber terminal to said data
network;

transmitting a log-on request for the subscriber
terminal from the terminal to a node in the data
network, said node having a data network address and
comprising a database containing authentication data
relating to subscribers of the home interface network
which controls said node;

authenticating the subscriber terminal using the
data contained in said database and returning
authentication data to the subscriber terminal;

transmitting at least part of the authentication
data from the subscriber terminal to the service
provider;

transmitting an authentication request from the
service provider to the authentication node, and
returning an authorisation to the service provider; and

in response to receipt of authorisation from the
authentication node, allowing the subscriber terminal to
access services of the service provider via the data
network.

2. A method according to claim 1, wherein the data
network is the Internet and said node is an Internet
node having a Universal Resource Locator (URL) address.

3. A method according to claim 2, wherein the home
network comprises a telecommunication network, such as a
Public Switched Telephone Network (PSTN) having an
Internet access server or a modem pool.

4. A method according to any one of the preceding
claims and comprising connecting the subscriber terminal
to the data network via a visitor network comprising a
PSTN and an access server or modem pool.

5. A method according to any one of claims 1 to 3 and
comprising connecting the subscriber terminal to the
data network via a local area network and an Internet
access server.

6. A method according to any one of the preceding
claims, wherein said database of the authentication node
contains the address of the subscriber in the home
network, together with a Username and a password, and
said log-on request contains the Username and password
which are verified by the node, together with a network
address allocated to the subscriber terminal in the data
network.

7. A method according to any one of the preceding
claims, wherein the authentication data returned to the
subscriber terminal comprises an access computer program
and a user identification (UID), and at least the UID is
then transmitted from the subscriber terminal to the
service provider.

8. A method according to claim 7, wherein the service
provider polls the network node, using the terminal's
network address and UID to confirm the continued
authorisation of the terminal.

9. A method according to any one of the preceding
claims, wherein the home network has control of a second
node in the data network, which node also has an address
in that network and acts as a collector of charging
information for the service provider.

10. A method according to claim 9 and comprising
recording at the authentication node charging data for
the subscriber terminal; and subsequently transferring
this data to the charging node.

11. A method according to any one of claims 1 to 8,
wherein the service provider has permission to use the
services of a second authentication node controlled by a
foreign network, and the method comprises the steps of:

transmitting an authentication request on behalf of
the subscriber terminal to the second authentication
node;

when the second node has verified that the terminal
is a subscriber of said home network, communicating
between the second authentication node and the
authentication node of the home network, to both
authenticate the subscriber terminal and to receive
subscriber identity data;

transferring charging data to a charging node
accessible to the service provider from the second
authentication node; and

forwarding charging information to the charging node
of the home network from the charging node of the
service provider.

12. A method according to claim 11 and comprising:

forwarding individual charging requests from the
charging node of the service provider to the
authentication node of the home network;

referring these requests to the subscriber terminal
for approval or rejection; and

transmitting the decision of the subscriber
terminal back to the service provider's charging node
via the home network's authentication node.

13. Apparatus for providing access for a subscriber to
services of a service provider through a data network,
the subscriber being a subscriber of a home interface
network, the apparatus comprising:

connection means for connecting a subscriber
terminal to a data network;

a data network node having a data network address
and comprising a database containing authentication data
relating to subscribers of the home interface network
which controls said node;

first transmission means for transmitting a log-on
request for the subscriber terminal from the terminal to
said node;

means for authenticating the subscriber terminal
using the data contained in said database and for
returning authentication data to the subscriber
terminal;

second transmission means for transmitting at least
part of the authentication data from the subscriber
terminal to the service provider;

third transmission means for transmitting an
authentication request from the service provider to the
authentication node, and returning an authorisation to
the service provider; and

processing means arranged, in response to receipt
of authorisation from the authentication node, to allow
the subscriber terminal to access services of the
service provider via the data network.